===== Lambda Role Policy =====
Variables to change before use:
  * Region ''us-east-1''
  * AWS Account ''123456789012''
  * Name ''certgen'', used in:
    * EC2 role name passed to the instance
    * SNS topic name used for notifications
    * Log group name / Lambda function name
    * Parameter name for the P12 password
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LaunchEC2Instance", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:123456789012:network-interface/*", "arn:aws:ec2:us-east-1:123456789012:subnet/*", "arn:aws:ec2:us-east-1:123456789012:volume/*", "arn:aws:ec2:us-east-1:123456789012:key-pair/*", "arn:aws:ec2:us-east-1:123456789012:security-group/*", "arn:aws:ec2:*::image/*" ] }, { "Sid": "LimitInstanceType", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:123456789012:instance/*" ], "Condition": { "StringEquals": { "ec2:InstanceType": "t3.micro" } } }, { "Sid": "PassInstanceRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/certgen-role-ec2" ] }, { "Sid": "PublicCertGenTopic", "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": [ "arn:aws:sns:us-east-1:123456789012:certgen" ] }, { "Sid": "CreateLogs", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/certgen*" ] }, { "Sid": "GetPasswordAndAMI", "Effect": "Allow", "Action": [ "ssm:GetParameter" ], "Resource": [ "arn:aws:ssm:us-east-1:123456789012:parameter/certgen/*/p12password", "arn:aws:ssm:us-east-1:*:parameter/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" ] } ] }